What IP range do I ask the system administrator to open in order for S3 to work?

I've written some programs for Raspberry Pi, which some small companies have shown interest in. I sold pre-configured Raspberry Pis to them, with my program on them, and it works for everybody except one of the companies. They have very strict policies, which is understandable.

My program uses Amazon's S3 service. I've given instructions on what ports and services need to be open in order for the program to work, to access S3, and the system administrator is saying ok to everything except one thing: They can't allow port 443 to the entire Internet. I need to specify IP ranges, they say.

I've been doing some research, and it seems that S3 needs a vast IP range in order to work, and the IP addresses needed just keep adding up. Most documentation I've found spells out clearly that "port 80 and port 443 need to be open" and that the IP addresses for the S3 servers vary.

Do you have any suggestions on what I can suggest? Are there firewalls that can filter by domain name (*.amazonaws.com)? Or is there anything else I can do? Is there an official IP range list for S3, that is updated regularly?

Any help from you would be very appreciated. Thanks.


Solution 1:

Before you start building allowed IP range, identify the region. The list of S3 regions is available here.

Let's assume you need an IP range for s3-us-west-2.amazonaws.com.

You can get it by executing the following commands on a Linux system, or equivalent commands on other systems.

Get IP address for the domain:

$ host s3-us-west-2.amazonaws.com
s3-us-west-2.amazonaws.com has address 54.231.161.248

The domain will have multiple IP addresses associated with it, which possibly will be in separate networks. Try to run this command multiple times to see if the IP addresses returned are in the same network. If not, try to identify IPs from separate networks and run the command below on all such IPs. Unfortunately there is no way to ask a DNS server to return all A records associated with a particular domain.

Run whois to get information about IP address:

$ whois 54.231.161.248
...
NetRange:       54.230.0.0 - 54.231.255.255
CIDR:           54.230.0.0/15
...

Whois output will include a whole lot of extra information which you don't need, and the output may differ for different IP addresses. However, you should be able to find the IP range in its output.

Alternative approach:

Amazon has a forum post which lists their IP ranges and gets updated regularly, so you can use that as well.

Because those IP ranges are going to change over time, ideally you will want to have a script which will probe them for you and give a notice when new IPs are discovered. As noted in the comment below, you probably don't want your firewall configuration to be updated without first confirming that the IP ranges are correct.

Solution 2:

Amazon now publish an automatically updated list of IP ranges for each service here: https://ip-ranges.amazonaws.com/ip-ranges.json - see http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html for semantics and how to get notified on changes.
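As an added example (not code from the question or from either answer above), the following Python script does the job both answers describe: it takes the service-tagged feed from Solution 2, keeps only the S3 prefixes for one region, diffs them against what the firewall currently allows so that changes are reported for review rather than applied blindly (the caution at the end of Solution 1), and checks that an address the Pi resolves for the endpoint actually falls inside the allow-list. It assumes the JSON layout documented on the page Solution 2 links to (top-level "syncToken", "prefixes" entries with "ip_prefix"/"region"/"service", and "ipv6_prefixes" with "ipv6_prefix"). The prefix values embedded in it are a constructed sample, not a copy of the live feed, and the iptables-style output is a placeholder for whatever rule syntax the site's administrator wants.

```python
"""Build and re-check an S3 egress allow-list from Amazon's ip-ranges.json feed.

Added example, not code from the original question or answers. Assumes the
documented feed layout; SAMPLE_IP_RANGES below is a constructed sample whose
prefix values are illustrative only.
"""
import ipaddress
import json
import urllib.request
from typing import Iterable

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the feed's shape (the real file has thousands of entries).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-22-13-20",
    "prefixes": [
        {"ip_prefix": "52.92.128.0/17",  "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "54.231.160.0/19", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "3.5.76.0/22",     "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "52.216.0.0/15",   "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "35.80.0.0/12",    "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "54.230.0.0/16",   "region": "GLOBAL",    "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1fa0:4000::/40", "region": "us-west-2", "service": "S3"},
    ],
})


def fetch_live() -> str:
    """Download the current feed (needs network; the offline demo uses the sample)."""
    with urllib.request.urlopen(IP_RANGES_URL, timeout=15) as resp:
        return resp.read().decode("utf-8")


def sync_token(ip_ranges_json: str) -> str:
    """syncToken changes whenever Amazon republishes; compare it before re-diffing."""
    return json.loads(ip_ranges_json)["syncToken"]


def s3_prefixes(ip_ranges_json: str, region: str, include_ipv6: bool = True) -> list[str]:
    """Return the normalised prefixes tagged service=S3 for one region.

    Entries for other services sharing the same registry allocation (EC2,
    CloudFront) are excluded; that is exactly what a whois NetRange cannot do.
    """
    data = json.loads(ip_ranges_json)
    wanted = [p["ip_prefix"] for p in data["prefixes"]
              if p["service"] == "S3" and p["region"] == region]
    if include_ipv6:
        wanted += [p["ipv6_prefix"] for p in data.get("ipv6_prefixes", [])
                   if p["service"] == "S3" and p["region"] == region]
    # ip_network() is strict by default: a prefix with host bits set raises,
    # so a malformed feed entry fails loudly instead of becoming an allow rule.
    return sorted({str(ipaddress.ip_network(p)) for p in wanted})


def diff_prefixes(currently_allowed: Iterable[str],
                  published: Iterable[str]) -> tuple[list[str], list[str]]:
    """Exact-prefix diff: (to add, to remove). Hand this to a human, do not auto-apply."""
    have = {str(ipaddress.ip_network(p)) for p in currently_allowed}
    want = {str(ipaddress.ip_network(p)) for p in published}
    return sorted(want - have), sorted(have - want)


def is_covered(address: str, prefixes: Iterable[str]) -> bool:
    """Does an address the Pi resolved for its S3 endpoint fall inside the allow-list?"""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def firewall_rules(prefixes: Iterable[str], port: int = 443) -> list[str]:
    """Render iptables-style egress rules (hypothetical target syntax; adapt to the site's firewall)."""
    rules = []
    for p in prefixes:
        tool = "ip6tables" if ipaddress.ip_network(p).version == 6 else "iptables"
        rules.append(f"{tool} -A OUTPUT -p tcp -d {p} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    feed = SAMPLE_IP_RANGES  # swap in fetch_live() to run against the real feed
    published = s3_prefixes(feed, "us-west-2")
    # Constructed "current state": one prefix still valid, one stale entry.
    allowed_today = ["54.231.160.0/19", "192.0.2.0/24"]
    added, removed = diff_prefixes(allowed_today, published)
    print("syncToken:", sync_token(feed))
    print("add:", added)
    print("remove:", removed)
    print("54.231.161.248 covered:", is_covered("54.231.161.248", published))
    print("\n".join(firewall_rules(published)))
```

Two practical points this makes visible. The whois NetRange in Solution 1 (54.230.0.0/15) is the registry allocation for the whole block, which also carries non-S3 services, so the service-tagged prefixes from the feed are what you should hand the administrator; the resolved address from that answer, 54.231.161.248, is checked here against the S3 prefixes only. Re-run the diff only when syncToken has changed (the documentation page linked in Solution 2 also describes change notifications), and include the IPv6 prefixes only if the Pi is configured to use a dual-stack S3 endpoint.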